Red Hat Bugzilla – Bug 1508486
AVC denial about chronyc, chronyd_t, and chronyc_exec_t
Last modified: 2018-04-10 08:46:56 EDT
Description of problem:
When docker is started, it likely does something to chronyd which leads to chrony-helper invocation. That produces AVC denials.

Version-Release number of selected component (if applicable):
docker-1.12.6-61.git85d7426.el7.x86_64
chrony-3.2-1.el7.x86_64
selinux-policy-3.13.1-175.el7.noarch

How reproducible:
Deterministic.

Steps to Reproduce:
1. Install docker from Extras.
2. systemctl start docker
3. Check audit.log

Actual results:
type=AVC msg=audit(1509545489.744:85): avc: denied { execute_no_trans } for pid=13062 comm="chrony-helper" path="/usr/bin/chronyc" dev="dm-0" ino=283534 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file

Expected results:
No AVC denial.

Additional info:
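As an added example (not part of the bug report), a small Python triage script that parses AVC records like the one above out of audit.log and flags the exact chronyd_t to chronyc_exec_t execute_no_trans pattern reported here; the first sample line is the record from the description, the second is a constructed, unrelated denial used as a negative case.

```python
import re

# Constructed sample input: the first line is the AVC record quoted in the bug
# description; the second is a made-up, unrelated denial so the triage has a
# negative case. Neither line was captured for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1509545489.744:85): avc: denied { execute_no_trans } for pid=13062 comm="chrony-helper" path="/usr/bin/chronyc" dev="dm-0" ino=283534 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyc_exec_t:s0 tclass=file
type=AVC msg=audit(1509545500.000:90): avc: denied { read } for pid=13070 comm="example" path="/tmp/example" dev="dm-0" ino=1 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# Header of an AVC record, then the free-form key=value fields after "for".
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The SELinux type is the third field of a user:role:type:level label.
    for ctx, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = rec.get(ctx, "").split(":")
        rec[out] = parts[2] if len(parts) > 2 else None
    return rec


def matches_bug_1508486(rec):
    """The pattern from this report: the chronyd_t domain executing a file
    labelled chronyc_exec_t with no domain transition. On RHEL 7.4 the binary
    was bin_t, which chronyd_t may execute; the 7.5 relabel triggers this."""
    return (rec is not None and rec["result"] == "denied"
            and "execute_no_trans" in rec["perms"] and rec.get("tclass") == "file"
            and rec["source_type"] == "chronyd_t"
            and rec["target_type"] == "chronyc_exec_t")


def triage(log_text):
    """Return (all parsed AVC records, the subset matching this bug)."""
    records = [r for r in (parse_avc(ln) for ln in log_text.splitlines()) if r]
    return records, [r for r in records if matches_bug_1508486(r)]
```

Running triage() over a real audit.log tells you whether the denials you see are this known, errata-fixed pattern or something else that deserves its own look.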
I believe this is the RHEL version of Fedora bug 1507478.
On RHEL 7.5, I see
# ls -laZ /usr/bin/chronyc
-rwxr-xr-x. root root system_u:object_r:chronyc_exec_t:s0 /usr/bin/chronyc

On RHEL 7.4 with selinux-policy-3.13.1-166.el7_4.5.noarch, there is
# ls -laZ /usr/bin/chronyc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/chronyc
Jan, You're right. This should be fixed in RHEL-7.5. Adding devel_ack+. Thanks, Lukas.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763